Learning Security from Good Hackers

“Last night, I stayed up until 6 o’clock figuring out how to do this,” says Riley “Caezar” Eller, a slender and bookish 27-year-old. Scribbling furiously on a dry-erase board covered with boxy diagrams representing a pair of networked computers, Eller maps out a novel cyberattack – a method of disabling a supposedly impregnable system with a few clever lines of code. His listeners nod each step of the way, occasionally grunting their approval. When the presentation is over and the imaginary defenses have all been surmounted, they break into polite applause.

Such demonstrations are part of the standard curriculum at the major security consultancies. But Eller isn’t giving this lecture in a sterile conference room at PricewaterhouseCoopers or Deloitte & Touche.

The setting is a subterranean hideout that closely resembles a frat house, complete with lava lamps and a rickety bar that reeks of week-old spilled Smirnoff. His cohorts – sworn enemies of office cubicles and Brooks Brothers suits – are members of an invite-only group of ace programmers, cryptography enthusiasts, and hardware wizards. Their think tank-cum-social club is known as the Ghetto Hackers.

They’re a brash, fun-loving lot who revel in their notoriety as two-time champions of Capture the Flag, the Daytona 500 of the computer underground. They also enjoy a measure of renown as hosts of a celebrated bacchanal – a combination trivia contest and Animal House-style beer blast – at Def Con, the annual hacker convention. In their civilian lives, however, these self-taught technophiles make a mint locking down servers and designing hard-to-crack networks.

Publicly, Corporate America expresses nothing but scorn for the denizens of this wired-world counterculture. Yet the Ghetto Hackers and their ilk are coveted – if controversial – players in the battle against cybercrime. While most of the major security firms insist on a hacker-free workforce, even flaunting their purity in sales pitches, a host of smaller shops are scrambling to enlist the assistance of Eller and his associates. They reason that hacker talent of their high caliber is too precious to ignore.

Bad news is good news

Hiring philosophies aside, security firms large and small agree that cybercrime has reached alarming levels. Internet security breaches cost businesses around the world upwards of $15 billion a year, according to the research firm Datamonitor. In one recent survey, conducted by the Computer Security Institute and the FBI, 85 percent of respondents reported at least one attack. High-profile debacles such as last February’s Yahoo! takedown have exposed the Net’s soft underbelly for all to see.

The resulting hysteria, coupled with a severe shortage of talent, has been a boon to savvy job-seekers, including some with the kind of after-hours hobbies that the leading lights of the security establishment claim to abhor. With security services projected to become a $14.2 billion industry by 2018 – up from just $2.8 billion in 1999 – even low-tier workers expect base pay to average more than $85,000 a year. And the Ghetto Hackers are taking full advantage of a hot market.

Michael “Koresh” Bednarczyk – at 30, one of the group’s elder statesmen – is chief scientist at the Internet Security Advisors Group (known as ISAG), a highly regarded firm headed by Ira Winkler. (See “The Social Engineer”) Drew “Ender” Miller, 23, a specialist in algorithms, recently left a longtime post at Datalight, an embedded-software developer, to become a programmer at LapLink.com. Eller, for his part, is the senior architect at ClicktoSecure, which makes a security scanning program called Hailstorm. Ghetto’s ranks even include a high-level Microsoft employee, although his identity is well guarded. “They would recognize the name, and he positively would be fired,” Eller says.